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FOREWORD 


''his  document  reports  on  a  continuing  research  effort  in  secure 
computer  systems  undertaken  by  Case  Western  Reserve  University  under 
Contract  No.  F19628-73-C-01P5, 

This  report  attempts  to  specify  requirements  for  a  secure  com¬ 
puter  system  based  upon  the  development  and  verification  of  a  mathe¬ 
matical  model.  The  Air  Force  has  required  the  contractor  to  model  the 
military  security  system  by  providing  simple  and  effective  security 
controls  and  has  discouraged  attempts  to  provide  broad,  general  securi¬ 
ty  controls  which  directly  address  such  issues  as  "mutually  suspicious 
subsystems." 

This  report  identifies  sufficient  characteristics  for  a  file  sys¬ 
tem  within  a  multilevel  secure  computer  system.  ESD  has  already  applied 
th^se  results  to  enhance  the  file  system  design  of  the  Multics  system 
'ecently  acquired  by  the  Air  Force  Data  Services  Center. 
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1.  GENERAL  INTRODUCTION 


1.1  A  Brief  Discussion  of  the  Problem 


As  increasing  amounts  of  data  are  committed  to  large  on-line  data 
bases,  a  problem  is  increasing  importance  and  complexity  is  that  of  en¬ 
suring  security  is  the  data.  In  general,  an  attack  on  the  data  security 
problem  is  made  more  difficult  by  the  lack  of  a  universally-accepted 
definition  of  security.  In  this  project,  the  particular  objective  is 
the  introduction  of  the  governmental  security  scheme  into  a  multi - 
programmed  computer  environment.  (See  Preliminary  Notes  on  the  Design 
of  Secure  Military  Systems  in  [9]). 

Initial  investigations  Indicate  that  current  computer  hardware 
designs  will  not  require  major  changes  to  accomodate  adequate  security 
provisions.  Hence,  the  first  objective  is  to  develop  a  security  system 
which  will  supplement  systems  similar  to  Mu  tics  as  implemented  on  uie 
Honeywell  6180. 

1.2  Scope  of  the  Project 

Computer  security,  particularly  in  the  military  environment,  has 
many  components  --  physical  security,  user  ai  thentication,  etc.  Various 
of  these  components  are  being  addressed  in  a  number  of  current  projects. 

The  objectives  of  this  project  are  (i)  to  develop  a  model  which 
imposes  the  governmental  security  scheme  on  an  open-computing  environ¬ 
ment  and  (ii)  to  investigate  the  security  properties  and  ramifications 
J  sucn  a  model.  In  this  context,  'open  environment'  has  two  meanings 
f Anderson  [1,  Vol .  II,  p.  4]).  First,  we  mean  a  situation  where  not 
all  system  users  are  cleared  for  the  classification  of  information 
being  processed  on  the  system.  Second,  we  mean  that  users  are  able  to 
program  in  assembly  language  or  any  common  higner-level  language.  Cur¬ 
rently,  these  situations  create  unacceptable  security  hazards  in  exist¬ 
ing  systems. 
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1.3  Some  Problems  Not  Being  Addressed 

As  Indicated  above,  some  aspects  of  the  overall  computer  security 
problem  will  not  be  addressed  in  this  project.  For  example,  we  assume 
that  some  external  agent  is  responsible  for  the  assignment  of  security 
clearances  to  individual  users  and  we  do  not  address  the  problem  of 
providing  physical  security  to  objects  such  as  terminals,  transmission 
lines,  tapes,  cards,  disks,  etc. 

The  important  problem  of  user  authentication  at  log-on  is  not 
addressed  in  this  project.  (This  problem  is  another  project  assigned 
to  FSD/DCW.)  We  also  have  no  intention  of  attempting  to  verify  the 
correctness  of  all  available  software  on  the  system,  although  we  shall 
be  concerned  with  controlling  the  potential  damage  caused  by  faulty 
routines. 


liie  Proposed  Method  of  Attack 


An  essential  aspect  of  computer  system  development  and  implementa¬ 
tion  is  the  conceptualization  of  system  structure.  The  stucture  pro¬ 
posed  for  this  development  is  a  hierarchy  of  layers,  hardware  and/or 
software,  each  of  which  provides  one  or  more  machines,  virtual  or  real, 
to  higher  layers  and  external  system  users  [2].  From  the  perspective 
of  the  operating  system  and  users,  the  lowest  layer  contains  a  hardware/ 
software  subsystem  called  the  security  kernel ,  which  handles  the  basic 
protection  and  security  on  the  system.  Higher  layers,  supported  by  the 
kernel,  will  make  the  system  more  convenient  for  the  user. 

In  specifying  and  implementing  the  security  kernel,  two  conflicting 
-quirements  must  be  resolved.  On  one  hand,  the  kernel  should  be  as 
small  as  possible,  since  the  correctness  of  its  functions  must  be  care¬ 
fully  checked.  However,  to  provide  adequate  security,  it  appears  that 
many  subsystems  such  as  I/O  handlers  must  be  included  in  the  kernel, 
greaJy  enlarging  its  size.  This  increases  significantly  the  difficulty 
\crifying  the  kernel;  in  fact,  the  feasibility  of  doing  so  becomes 
extremely  dependent  on  the  structure  of  the  kernel. 


2 


V 


1.5  General  Methodology 

Initially  the  levels  of  abstraction  approach  to  the  development 
of  a  security  kernel  seemed  more  promising  than  other  alternatives. 

The  methodology  involves  the  stepwise  refinement  of  computational  tasks 
and  has  proved  effective  in  the  construction  of  algorithms  and  sub¬ 
systems  to  perform  specific  functions.  However,  a  closer  inspection  of 
the  basic  assumptions  of  stepwise  refinement  or  levels  of  abstraction 
methodology  indicated  several  difficulties  In  its  straightforward  ap¬ 
plication  to  the  computer  system  security  problem. 

We  can  regard  the  stepwise  refinement  technique  of  algorithm 
(system)  construction  as  a  methodology  for  the  organization  of  design 
decisions.  A  fundamental  assumption  of  the  stepwise  refinement  method¬ 
ology  is  that  the  design  decisions  are  directed  toward  a  well-defined 
goal  and  are  restricted  by  a  clearly  specified  set  of  constraints. 

That  is,  in  the  construction  of  an  algorithm  by  the  stepwise  refine¬ 
ment  technique,  the  intended  function  of  the  algorithm  is  assumed  to  be 
well-defined.  Moreover,  the  decision  steps  are  guided  by  constraints 
such  as  the  set  of  available  operations  on  the  machine  or  in  the  pro¬ 
gramming  language. 

Precisely  these  basic  assumptions  were  not  satisfied  in  the  case 
of  computer  system  security.  While  a  well -accepted  statement  of  the 
military  security  system  existed,  a  precise  and  consistent  interpre¬ 
tation  in  a  computer  system  application  did  not.  Furthermore,  the 
constraints  of  the  computer  security  problem  were  not  well -understood, 
e.g.,  the  security  implications  of  certain  operations  on  user  data  were 
unclear. 

Consequently,  the  initial  phase  of  the  project  consisted  of 
specifying  precisely  the  goal  and  constraints  of  computer  system  secur¬ 
ity  in  the  context  of  the  military  security  requirements. 

The  approach  taken  has  been  to  develop  uninterpreted  abstract 
models  of  security.  This  allows  us  to  extract  the  most  important 
features  of  a  given  situation  and  to  obtain  results  which  apply  to 
other  similar  situations.  Our  first  model  gives  a  difinition  of 
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security  which  applies  to  a  wide  variety  of  situations. 

The  models  developed  in  this  project  are  not  independent.  At  the 
most  abstract  level,  a  set  of  models  address  different  aspects  of  the 
problem.  Subsequent,  more  specific  models  will  refine  and  possibly 
combine  one  or  more  previous  models.  Hence,  later  models  will  be  pos¬ 
sible  interpretations  of  previous  models. 

The  goal  of  this  approach  is  to  develop  a  model  which  describes 
in  detail  the  security  kernel  in  a  secure  computing  system.  The  con¬ 
straints  which  guide  this  approach  are  provided  (i)  by  the  definition 
of  security  given  in  the  most  abstract  models  and  (ii)  by  implementa¬ 
tions  and  hardware  considerations. 

The  success  of  this  model  refinement  technique  will  have  several 
clear  benefits.  We  will  have  defined  a  model  which,  if  correctly  im¬ 
plemented,  will  ensure  secure  behavior  according  to  a  precise  defini¬ 
tion  of  security.  In  addition,  this  model  will  provide  a  precise 
definition  of  the  goal  and  constraints  for  a  stepwise  implementation 
of  a  security  kernel. 

1.6  An  Outline  of  the  Report 


This  report  presents  versions  of  the  two  models  which  we  have 
developed  so  far.  The  model  described  in  Chapter  2  formalizes  the 
intended  effect  of  the  military  clearance/classification  system. 

It  models  the  security  system  as  a  set  of  abstract  entities: 
information  repositories,  each  having  some  given  security  class,  and 
agents,  also  having  security  classes.  The  agents  may  observe  and 
modify  various  of  the  repositories.  After  some  formalization,  the 
fundamental  result  of  Chapter  2  is  given  in  a  Basic  Security  Theorem. 
This  theorem  states  that  if  the  security  axioms  are  enforced,  then  no 
information  can  be  transferred  to  an  unsafe  place.  The  limitation  of 
the  Chapter  2  security  model  is  that  it  is  static  —  not  allowing  for 
the  creation  or  deletion  of  repositories  or  agents. 

Chapter  3  then  introduces  the  concept  of  a  directory  system  on  the 
Chapter  2  model.  By  introducing  Files  and  Directories  as  repositories 
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this  model  becomes  less  abstract  than  that  of  the  Chapter  2  model. 

As  the  file  system  proposed  in  Chapter  3  is  not  the  only  conceivable 
design.  Appendix  A  explores  two  alternate  file  systems  which  we 

investigated. 

2.  THE  BASIC  MODEL 

2.1  Introduction 


The  objective  of  this  chapter  is  to  develop  a  general  model  for 
an  information  processing  system  which  is  "secure  in  that  it  allows 
access  to  information  only  as  defined  by  rules  governing  the  dispersal 
of  classified  information"  [7].  The  resultant  model  will  serve  as  a 
definition  of  mandatory  security  in  subsequent  chapters. 

Design  requirements  are  to  provide  a  "military  time-sharing  sys¬ 
tem  operating  in  multilevel  security  mode"  [9,  p.  IV-28].  That  is, 

"a  mode  of  operation  under  an  operating  system  ...  which  provides  a 
capability  permitting  various  levels  and  categories  or  compartments 
of  material  to  be  concurrently  stored  and  processed  in  an  ADP  system. 

In  a  remotely  accessed  resource-sharing  system,  the  material  can  be 
selectively  accessed  and  manipulated  from  variously-controlled  ter¬ 
minals  by  personnel  having  different  security  clearances  and  access 
approvals..."  (DOD  5200:28-M  as  quoted  by  Downey)  [9,  p.  IV-28].  The 
system  must  be  secure  in  the  sense  that  it  permits  no  "unauthorized 
disclosure  of  information"  [5,  p.  14]. 

The  pioneering  work  of  Lampson  [4]  was  followed  in  the  partition¬ 
ing  of  the  information  store  into  a  set  of  disjoint  repositories  (ob¬ 
jects)  and  the  use  of  a  set  of  agents  (domains  or  subjects)  for  the 
processing  and  transferring  of  the  stored  information.  The  repositories 
are  passive  information-storing  elements  in  the  system.  The  informa¬ 
tion  stored  in  a  repository  can  only  be  modified  by  an  agent,  and  that 
modification  can  only  be  detected  by  another  agent  through  an  observa¬ 
tion.  Information  is  transferred  from  one  repository  to  another  by 
an  observation  of  the  first  repository  by  an  agent  and  the  modification 
of  the  second  by  the  same  agent.  The  modification  is  expected  to 
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reflect  che  info»tnation  stored  In  the  first  repository  by  an  appro¬ 
priate  change  in  the  information  stored  in  the  second.  Since  all 
transfers  are  from  repository  to  repository  through  an  agent,  it  is 
possible  to  control  information  flow  in  the  system  by  controlling  the 
observation  and  modi f i cation  privileges  of  each  of  the  agents. 

The  repository  is  the  smallest  unit  of  information  storage  to 
which  obrervation  and  modification  access  is  controlled.  All  infor¬ 
mation  stored  in  a  repository  is  thus  considered  to  be  of  uniform 
sensitivity.  As  a  measure  of  this  level  of  sensitivity,  a  security 
class  is  associated  with  each  repository.  There  may  be  several  re¬ 
positories  with  the  same  security  class.  The  set  of  repositories  is 
thus  subdivided  into  disjoint  subsets  of  repositories  with  equal  se.ur- 
ity  class  which  will  therefore  have  the  same  mandatory  access  restric¬ 
tions. 

Rather  than  keeping  lists  specifying  which  agents  can  access  which 
subset  cf  repositories,  we  associate  a  security  class  with  each  agent. 
The  sec  or  security  classes  then  becomes  a  common  measure  which  makes 
the  set  of  agents  and  set  of  repositories  comparable  and  which  can  be 
used  to  determine  what  observations  and  modifications  are  to  be  per¬ 
mitted. 

For  motivation  of  the  method  of  solution  and  of  the  terminology, 
let  us  consider  the  Air  Force  regulations  and  procedure  for  preventing 
compromise  of  classified  information.  For  this  purpose,  repositories 
are  documents,  and  agents  are  personnel.  The  security  class  of  a 
document  is  its  classification,  and  the  securi*.y  class  of  an  indivi¬ 
dual  is  his  clearance.  An  individual  may  read  (observe)  a  document, 
only  if  its  classification  is  less  than  or  equai  to  his  clearance. 
Notice  that  this  is  a  necessary  but  not  a  sufficient  condition.  It 
gives  a  basis  for  controlling  observations,  but  there  must  a  so  be  a 
basis  for  determining  which  modifications  should  be  allowed.  Recall 
that  our  objective  is  to  prevent  unauthorized  disclosure.  Information 
must  not  be  transferred  to  a  repository  with  security  class  lower  than 
that  of  the  source  repository.  In  order  to  prevent  any  agent  from 
transferring  information  to  a  repository  with  insufficient  security 
class  in  the  model,  an  agent  will  not  be  allowed  to  modify  a  repository 
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unless  Its  security  class  is  greater  than  or  equal  to  that  of  the 
agent. 

In  the  preceding  paragraphs  there  is  a  relation  on  the  set  of 
security  classas  implied  by  the  comparisons  between  elements.  Let  us 
consider  what  properties  the  relation  must  have.  Certainly  an  agent 
with  gmn  security  class  (clearance)  should  be  allowed  by  the  manda¬ 
tory  st'turity  system  to  observe  or  modify  any  repository  with  the  same 
security  class  (classification).  Then  since  every  security  class  must 
be  less  than  or  equal  to  itself,  the  relation  must  be  reflexive.  In 
order  to  control  possible  information  transfer  from  one  repository  to 
anolner  through  one  or  more  intermediate  repositories,  it  is  necessary 
that  the  relation  be  transitive. 

According  to  Popek  [8,  Chap.  5]  in  his  general  treatment  of  ac¬ 
cess  maps  using  restriction  graphs,  the  relation  on  the  set  of  security 
classes  can  be  a  partial  ordering.  However,  antisymmetry  is  not  essen¬ 
tial  for  the  basic  theorem  of  this  chapter.  It  is  sufficient  to  assume 
that  the  relation  on  the  set  of  security  classes  is  a  pre -ordering. 

In  contrast  to  Schiller  [8]  we  believe  that  what  he  calls  the 
"control  structure"  of  the  system  is  integrally  related  to  the  "Infor¬ 
mation  structure,"  and  that  penetration  attacks  on  this  control  struc¬ 
ture  must  be  prevented  by  applying  certain  restraints  in  the  model 
rather  than  by  giving  the  system  designer  the  "responsibility  to  sys¬ 
tematically  determine  all  possible  channels  through  the  control  struc¬ 
ture  in  his  system,  and  whether  or  ..Gt  the  transmission  rate  from  their 
use  In  a  penetration  is  acceptable"  [10,  p  7]. 

Conceptually,  a  repository  is  any  object  in  the  system  which  can 
be  modified  in  such  a  way  that  this  modification  can  be  subsequently 
observed.  Each  process  in  a  computer  should  be  interpreted  to  be  an 
agent;  however,  since  the  state  of  a  process  (running,  blocked,  ready, 
etc.)  is  information  which  can  be  modified  and  observed  by  other  sys¬ 
tem  elements,  a  process  must  also  be  considered  to  be  a  repository, 
and,  accordingly,  its  state  information  must  be  protected  by  the 
security  kernel.  The  proposed  model  is  intended  to  be  sufficiently 
general  to  include  all  possible  information  channels.  We  believe  that 
to  leave  large  classes  of  potential  information  channels  to  be 
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systematically  discovered  and  dealt  with  by  the  system  designer  is  to 
circumvent  the  very  idea  of  design  through  mathematical  models. 

2.2  Basic  Elements,  Functions,  and  Relations 

We  now  Introduce  some  notation  and  formalize  the  ideas  discussed 
in  the  preceding  section. 

The  model  for  mandatory  security  in  an  information  processing 
system  Is  an  8-tuple: 

Mo  =  (R,A,C,Q,\i,4,Cll>,CVi) 

where 

R  Is  a  set  of  repositories. 

A  is  a  set  of  agents. 

C  Is  a  set  of  security  classes. 

0C  AxR  is  the  "observe"  relation,  (a  0  r  means  that  agent  a^ 
can  observe  the  information  stored  in  repository  £.) 
uQAxR  Is  the  "modify"  relation,  (ay  r  means  that  agent  ^  can 
modify  the  information  stored  in  repository  r.) 

<CCxC  is  a  pre-ordering  of  the  set  of  security  classes. 

Ch> :  R  C  is  the  "classification"  function  which  associates  a 

security  class  with  each  repository.  (Informally  Ch>[ r) 
will  be  referred  to  as  the  classification  of  repository 
r.) 

Cbx ■  A  ->-  C  is  the  "clearance"  function  which  associates  a  security 
class  with  each  agent.  (Here  again  CVi( aj  will  be  re¬ 
ferred  to  as  the  clearance  of  agent  a_. ) 

The  model  MQ  can  be  illustrated  by  the  following  picture: 
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2.3  Axioms 


The  mcf'el  MQ  has  four  axioms.  The  first  two  simply  state  ex¬ 
plicitly  that  the  relation  <  is  a  pre-ordering  of  the  set  C  of  security 
classes. 

Al:  For  all  c  e  C,  c  3  c.  (<  is  reflexive.) 

A2:  For  all  c,  d,  e  e  C,  c  <  d  and  d  $  e  implies  c  <  e.  (<  is 
transitive.) 

The  second  two  axioms  state  the  conditions  necessary  for  observation 
and  modification  by  agents. 

A3:  For  all  a  t  A  and  r  e  R,  a  9  r  Implies  Cfca(r)  3  CVi[ a). 

(That  Is,  if  agent  a_  can  observe  repository  r^,  then  the 

clearance  of  a_must  be  greater  than  or  equal  to  the 
classification  of  r. ) 

A4:  For  all  a  e  A  and  r  e  R,  a  p  r  Implies  CVi{i)  <  C£a(r). 

(That  Is,  If  an  agent  a  can  modify  repository  r,  then 

the  clearance  of  a^  is  less  than  or  equal  to  the  classi¬ 
fication  of  r.  Agent  a^  can  modify  only  those  reposi¬ 
tories  with  equal  or  higher  security  class.) 

2.4  The  Basic  Security  Theorem 

Using  these  four  axioms,  we  now  prove  that  in  MQ  no  information 
can  ever  be  transferred  to  a  repository  in  which  it  can  be  observed 
by  an  agent  that  does  not  have  sufficient  clearance  to  observe  the 
source  repository. 

In  preparation  for  the  statement  and  proof  of  the  basic  security 
theorem  about  M  ,  we  make  the  following  definitions. 

Define  the  "transfer"  relation  tCRxR  by  r  t  s  if  and  only  If 
there  Is  an  agent  a_  such  that  a_  9  r_  and  a  y  i»  where  r_  and  £  are  re¬ 
positories.  Thus  r  t  £  means  that  there  is  an  agent  which  can  trans¬ 
fer  information  from  repository  r  to  repository  £.  It  is  actually 
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the  transitive,  reflexive  closure  i*  of  i  which  is  needed  in  the 
theorem,  since  r  t*  s^  means  that  information  can  eventually  be  trans¬ 
ferred  from  r  to  s..  In  this  case  there  is  a  finite  sequence  ;<f  re¬ 
positories  {r^}  such  that  Lp  £  If,+l  ’  and  -iT-i4-l  ^or 
1  s  i  c  n. 

Further,  if  r  x*  s_,  then  we  say  there  is  an  information  transfer 
path  from  repository  r  to  repository 

THEOREM:  If  there  is  an  information  transfer  path  from  repository  r 
to  repository  s^  in  M  ,  then  Cle>(r)  <  C£a( s). 

PROOF:  By  definition,  if  there  is  an  information  path  from  reposi¬ 

tory  r^  to  repository  s_,  then  r^  x*  s_.  We  first  establish 
that  r  -  s  implies  C£a(r)  <  Ch>{ s).  For  if  H  t  £  then 
there  is  an  agent  a_  such  that  a^  0  r^  and  aji  s.  By  axioms 
A3  and  A4,  C£a(r)  4  CV t(a_)  and  CVi{ a)  *  Ch>[ s).  By  transi¬ 
tivity  of  4,  C£a(r)  <  Cl&( s). 

Now  define  a  new  relation  AC  RxR  by  r  A  £  if  and  only  if  Cti(r)  < 
Ch>[s).  (That  is,  r  A  ^  means  the  security  class  of  r  is  less  than  or 
eaual  to  the  security  class  of  s..) 

Notice  that  A  is  a  reflexive  and  transitive  relation.  For  any  r  c  R, 
axiom  A1  states  that  Ch>[r)  <  Ch>{  r),  and  so  r  Ar  (i.e.,  A  is  re¬ 
flexive)  by  the  definition  of  the  relation  A.  If  r ,  s,  t  e  R,  such 
that  r  A  s  and  s  A  t^,  then,  by  the  definition  of  A,  C£a(r)  <  CIa{s) 
and  Cl&( s)  <  Ch>{t).  By  axiom  A2,  Cl&( r)  <  Cli(t),  and,  again  by 
definition  of  A,  r  A  t^(i.e.,  A  is  transitive). 

The  relation  A  contains  the  relation  t,  since  r_  x  s_  implies 
C£i(r)  <  CZa{s},  which  implies  r  A  s.  Recall  that  by  definition  the 
relation  x*  is  the  minimal  transitive,  reflexive  relation  containing 
the  relation  x.  It  follows  that  the  relation  x*  is  contained  in  the 
relation  A.  This  proves  the  theorem,  since  for  r,  s_  e  R,  r.  x*  s^  im¬ 
plies  r  A  s,  which  implies  Cls(r)  <  CIa(s). 
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2.5  The  Air  Force  Security  Lattice 

The  applicability  of  to  a  system  which  enforces  the  Air  Force 
clearance/classification  and  compartmentalization  restrictions  will  be 
demonstrated  by  showing  that  these  two  schemes  can  be  combined  to  give 
&  single  set  of  security  classes.  Air  Force  "need-to-know"  restric¬ 
tions  have  not  been  included  because,  as  will  be  shown  in  the  next 
section  (2.6),  strict  mandatory  enforcement  of  need-to-know  gives  a 
system  of  limited  usefulness,  and  it  does  not  model  the  actual  military 
use  of  need-to-know. 

In  a  computer  system  application,  need-to-know  will  be  implemented 
through  access  control  lists.  The  system  cannot  be  expected  to  decide 
which  names  and  access  rights  should  be  put  on  the  access  control  lists, 
but  it  must  be  certified  that  the  lists  are  implemented  and  maintained 
correctly.  It  is  more  realistic  in  this  Instance  to  allow  the  creator/ 
owner  of  a  repository  (file)  or  the  project  director  to  decide  who  shall 
have  access  to  a  given  repository.  The  user  gives  access  rights  at  his 
own  discretion,  with  full  confidence  that  no  programming  error  or  over¬ 
sight  will  defeat  the  mandatory  enforcement  of  clearance/classification 
and  compartmentallzatlon  restrictions  by  the  system  kernel. 

See  Downey's  discussion  of  the  three  dimensions  of  military  security 
and  user  responsibility  [9,  Sec,  3.1,  p.  IV-28].  Notice  that  our  model 
does  not  give  the  user  as  much  responsibility  as  Downey  suggests.  In  our 
model  if  a  user  has  observe  access  to  a  repository,  he  may  do  whatever  he 
pleases  with  the  information  stored  there;  however,  he  may  not  use  the 
facilities  of  the  system  to  pass  It  to  an  unauthorized  user,  nor  can  an 
unknown  program  bug  divulge  it.  The  user  is  also  ensured  that,  while  a 
borrowed  program  may  destroy  or  change  information  to  which  he  has 
modify  access,  it  will  not  transfer  information  to  any  repository  where 
it  would  be  observable  by  anyone  with  lower  security  class.  (A  malicious 
borrowed  program  is  often  called  a  "Trojan  Horse."  [1,  Vol .  II,  p.  50]. 
Since  the  system  cannot  appraise  user  intentions,  it  prohibits  inten¬ 
tional  as  well  as  unintentional  unauthorized  disclosures. 

Let  us  now  write  out  the  details  of  the  security  lattice  which  de¬ 
scribes  the  Air  Force  classification  system.  Let  Sen  be  the  set  of 
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sensitivity  levels  (i.e.,  unclassified,  confidential,  secret,  etc.). 

Sen  is  a  lattice  because  it  is  linearly  ordered. 

Let  Cmp  be  the  set  of  compartments  of  subject  matter  (China, 
nuclear,  etc.).  Generally  the  information  stored  in  a  given  reposi¬ 
tory  may  be  included  in  more  than  one  compartment,  hence  the  component 
of  a  security  class  concerned  with  compartmentalization  will  actually 
be  a  subset  of  compartments  to  which  the  information  belongs.  Although 
all  possible  subsets  of  Cmp  may  not  be  needed  in  practice,  our  formal 
treatment  will  use  the  entire  power  set  P(Cmp)  of  Cmp.  P(Cmp)  is  a 
lattice  naturally  ordered  by  set  inclusion.  The  two  lattices  Sen  and 
P(Cmp)  can  be  combined  to  form  the  product  Sen*P{Cmp )  which  is  itself 
a  lattice  (MacLane  and  Sirkhoff  [6,  p.  489])  with  order  relation  defined 
as  follows:  for  (c,D) ,(e,F)eSenxP(Cmp) ,  (c,D)  <  (e,F)  if  and  only  if 
c  <;  e  in  Sen  and  DQF  in  P(Cmp).  Thus  an  agent  may  observe  a  reposi¬ 
tory  only  if  the  classification  level  of  the  repository  is  less  than 
or  equal  to  the  clearance  level  of  the  agent  artf  the  set  of  compart¬ 
ments  associated  with  the  repository  is  a  subset  of  the  set  of  com¬ 
partments  associated  with  the  agent. 

Since  the  set  CQ  s  ScnxP(Cmp)  is  a  lattice,  under  the  ordering 
<  defined  above,  axiom  A1  and  A2  will  be  satisfied.  Being  a  lattice, 

CQ  has  stronger  properties  than  required  for  mandatory  security  as 
defined  by  MQ.  While  not  necessary,  those  additional  properties  may 
be  useful  in  practice.  For  example,  given  any  two  classes  in  CQ,  there 
is  a  minimal  class  which  is  greater  than  or  equal  to  either  one.  Also, 
CQ  has  a  greatest  and  a  least  element. 

The  basic  theorem  then  states  that,  in  a  system  which  uses  the 
Air  Force  security  lattice  CQ  to  restrict  the  observe  and  modify  re¬ 
lations  according  to  axioms  A3  and  A4,  there  can  be  no  transfer  of  in¬ 
formation  from  a  repository  with  one  sensitivity  and  set  of  compartments 
to  a  repository  with  lower  sensitivity  or  smaller  set  of  compartments. 
And,  since  the  only  access  to  repositories  is  through  agents,  there  can 
be  no  unauthorized  disclosure  of  information. 

The  modeled  system  is  quite  similar  to  the  real  world  except:  for 
axiom  44  which  states  that  an  agent  may  not  modify  a  repository  with 
lower  security  class.  Under  that  restriction,  if  agents  are  acting 
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or  behalf  of  system  users,  a  user  who  has,  say,  secret  clearance  could 
not  send  an^  information  to  an  uncleared  user  through  the  system.  This 
is  necessary  since  the  system  cannot  interpret  which  information  is 
classified  and  which  is  not. 

To  realistically  apply  the  basic  theorem  to  the  Air  Force  security 
procedure,  we  might  suggest  that  a  person  be  allowed  to  operate  as  an 
agent  with  any  clearance  up  to  and  including  his  actual  clearance.  This 
places  the  responsibility  on  the  user  to  decide  at  which  level  he  should 
operate.  In  making  the  decision  to  operate  at  a  reduced  clearance,  the 
user  relinquishes  the  right  to  observe  any  material  classified  higher 
than  his  "working  level."  In  this  way  axiom  A4  can  be  satisfied  and  the 
result  of  the  theorem  ensured. 

2.6  A  Hypothetical  Need-To-Know  Clearance  Lattice 

The  Air  Force  further  ensures  the  privacy  and  integrity  of  infor¬ 
mation  by  requiring  that,  to  access  information,  one  must  not  only  have 
proper  clearance  but  must  also  have  established  a  "need-to-kriow"  *or  the 
information.  The  fact  that  Jones  is  cleared  to  see  material  in  a  given 
security  class  does  not  mean  he  can  read  a  document  with  that  classifi¬ 
cation  written  by  Smith,  unless  he  has  been  extended  the  proper  need- 
to-know  authorization.  In  attempting  to  describe  this  need-to-know 
security  scheme,  it  is  natural  to  try  to  fit  it  into  the  basic  security 

model  M  of  Section  2.3. 
o 

When  we  describe  need-to-know  security  in  terms  of  Mq,  we  interpret 
the  set  C  of  security  classes  as  being  the  new  set  Cj,  described  below. 
Let  U  be  the  set  of  users  of  the  system,  and  define  Cj  to  be  the  power 
set  of  users  P (U ) .  Define  the  ordering  <  on  Cj  to  be  reverse  set  in¬ 
clusion  (i.e.,  B  *  D  if  and  only  if  DCB).  This  relation  is  reflexive, 
since  for  all  BeP(U),  BCB.  The  relation  <  is  also  transitive  since 
if  B  ^  D  and  D  <  F,  then  DCB  and  F  C  D,  so  by  the  transitivity  of  C, 
FCB  (which  r  ';ates  that  B  <  F).  Accordingly,  <  is  a  preordering  of 
Cj,  as  required  by  axioms  A1  and  A2. 

In  this  example,  the  classification  function  Cl&  will  assign  to 
each  repository  r.  a  set  of  users  Cti(r)  who  are  allowed  to  observe  the 
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cortents  of  repository  £  (i.e.,  who  have  the  "need-to-know"  authoriza¬ 
tion  for  repository  r). 

The  clearance  function  Cl a  will  assign  to  each  agent  a_ a  set  of 
users  Cl\[a)  who  are  represented  by  the  agent  a_.  Now  axiom  A3  says 
that,  In  order  for  agent  a^  to  observe  repository  r,  Ct&{r)  <  Cti(a). 

In  other  words,  the  set  of  users  who  are  represented  by  agent  ^  are  a 
subset  of  the  users  who  are  allowed  to  observe  repository  r. 

Axiom  A4,  on  the  other  hand,  says  that,  in  order  for  an  agent  a^ 
to  modify  a  repository  r,  the  set  of  users  whom  the  agent  a_  represents 
must  include  the  set  of  users  who  can  observe  repository  r .  When  we 
apply  the  security  theorem  of  Section  2.4  to  this  example,  we  see  that 
information  cannot  be  passed  to  repositories  which  larger  sets  of 
users  can  observe.  For  example,  it  Is  impossible  to  pass  the  infor¬ 
mation  in  a  repository  to  a  user  who  does  not  already  have  access  to 
the  information  in  the  repository,  since  this  amounts  to  "declassi¬ 
fying  !l  this  Information. 

Unfortunately,  this  security  scheme  is  much  too  rigid  to  be  of  any 
use,  except  perhaps  in  the  special  case  of  a  small  environment.  As  we 
have  just  seen,  it  is  impossible  to  straightforwardly  give  a  new  user 
Jones  access  to  the  contents  of  a  repository  r^ which  was  created  before 
it  was  decided  that  Jones  had  a  "need-to-know"  the  contents  of  r.  One 
way  around  this  difficulty  might  be  to  recreate  the  contents  of  r  In  a 
new  repository  r1  which  Includes  Jones  in  its  "need-to-know"  classifi¬ 
cation.  This  process  would  involve  accessing  all  the  repositories 
which  we  used  when  we  initially  created  the  contents  of  r\  If  Jones 
is  not  "need-to-know"  classified  to  see  some  of  these  repositories, 
they  will  also  have  to  be  reconstructed.  The  process  of  reconstruction 
would  continue  until  we  reach  a  collection  of  repositories,  all  of  which 
Jones  has  access  to.  This  could  certainly  be  a  costly  and  cumbersome 
process. 

An  alternative  approach  would  be  to  have  a  security  officer  auth¬ 
orize  the  direct  transfer  of  the  contents  of  repository  £  to  reposi¬ 
tory  r 1 •  However,  if  repository  r_  is  frequently  updated,  this  approach 
will  require  frequent  actions  by  the  security  officer,  and  this  really 
circumvents  the  mandatory  security  system.  It  is  natural  then  to  direct 
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all  subsequent  updates  to  repository  r_'  rather  than  repository  r_.  "hi s 
means  that  all  agents  which  modify  r_*  will  have  to  include  Jones  among 
the  users  they  iepresent,  and  this  means  that  Jones  will  have  to  be  in¬ 
cluded  in  the  classification  of  all  repositories  which  these  agents  ob¬ 
serve  whi’e  updating  r.' .  Accordingly,  all  of  these  repositories  will 
have  to  be  "declassified"  by  the  security  officer.  This  leads  to  tht 
same  proliferation  problem  which  we  saw  previously. 

Because  of  these  problems,  we  are  led  to  introduce  a  less  strict 
"need-to-know"  security  system  in  which  the  responsibility  for  pro¬ 
tecting  the  contents  of  repositories  is  left  to  the  users.  We  will 
refer  to  this  system  as  the  discretionary  security  system. 

This  system  involves  attaching  to  each  repository  a  list  of  users 
who  a.'«  allowed  to  observe  the  contents  of  that  repository.  There  is 
a  major  disadvantage  to  this  system:  if  we  let  user  Smith  observe  one 
of  our  repositories,  we  cannot  be  certain  that  he  will  not  pass  the 
contents  along  to  user  Jones.  This  is  similar,  however,  to  the  real 
world  situation. 

An  advantage  of  the  discretionary  security  system  is  that  we  only 
have  to  check  whether  one  user  is  on  a  need-to-know  list  rather  than 
having  to  check  whether  one  list  of  users  is  contained  in  another  list 
of  users.  Checking  for  individual  membership  is  usually  much  faster 
than  checking  for  containment. 

There  is  another  security  problem  which  the  discretionary  security 
system  should  confront,  and  that  is  the  problem  of  sabotage.  We  could 
construct  a  strict  "need-to-modify"  security  system  to  deal  with  this 
problem,  but  it  would  be  just  as  cumbersome  as  the  strict  "need-to-know" 
system.  The  proposed  discretionary  security  system  will  deal  with  this 
problem  by  attaching  to  each  repository  a  list  of  users  who  are  allowed 
to  modify  the  contents  of  that  repository. 

Since  the  discretionary  security  is  not  as  strict  about  control¬ 
ling  access  to  repositories  as  the  mandatory  security  is,  we  will  pro¬ 
vide  the  user  with  additional  mechanisms  for  controlling  his  agents. 
These  will  take  the  form  of  agent  privileges  which  the  user  may  selec¬ 
tively  revoke. 

In  this  chapter  it  was  our  intention  to  define  security  in  terms 
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of  a  mandatory  scheme  involving  security  classes.  When  we  tried  to 
apply  this  sort  of  security  scheme  to  need-to-know  security,  we  were 
led  to  the  idea  of  a  discretionary  security  system  which  the  users  will 
apply.  This  discretionary  security  is  one  of  the  topics  to  be  con¬ 
sidered  in  future  work. 

The  next  chapter  pursues  tne  interaction  between  directory  struc¬ 
tures  and  mandatory  security. 

3.  A  DIRECTORY  STRUCTURE  MODEL 

3.1  Introduction 


Our  approach  to  building  secure  computer  systems  involves  de¬ 
scribing  a  variety  of  models  which  capture  different  aspects  of  the 
problem  in  varying  degrees  of  detail.  In  this  chapter,  we  will  be 
concerned  with  a  model  which  adds  additional  structure  to  the  set  of 
repositories  discussed  in  Section  2  of  the  preceeding  chapter.  We  will 
explore  the  additional  restrictions  which  this  structure  and  the  secu¬ 
rity  axioms  A3  and  A4  imply. 

Most  large  computer  systems  use  a  directory  scheme  to  structure 
their  file  systems,  so  we  will  model  this  sort  of  repository  structure. 
Certain  computer  applications  such  as  question  answering  systems  re¬ 
quire  more  complex  data  structures,  and  it  will  eventually  be  impor¬ 
tant  to  explore  the  security  requirements  of  such  systems.  A  brief 
study  of  more  complex  data  structures  indicates  that  they  require  con¬ 
siderably  more  complex  security  restrictions,  so,  for  the  moment,  we 
will  confine  our  attention  to  directory  structures. 

3 . 2  The  Basic  Objects,  Functions  and  Relations 


Formally,  this  model  concerns  three  sets,  two  functions  and  four 
relations.  Several  of  these  concepts  were  introduced  in  the  model  in 
the  preceeding  chapter. 

A  =  a  set  of  agents. 
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C  =  *  sst  of  security  classes  - 

F  =  a  tree  cf  files  (directories  and  segments). 

On:  A  -*•  C  is  a  clearance  function  for  agents. 

Cl&t  F  -*•  C  is  a  classification  function  for  files. 

3  Q  C*C  is  the  preordering  of  the  security  classes. 

eQAxF  is  the  "can  observe"  relation  between  agents  and 
files. 

u  Q  A*F  is  the  "can  modify"  relation  between  agents  and 
files. 

£  C  FxF  is  the  "dominates"  relation  between  files.  (This 
relation  will  be  used  to  indicate  that 
the  files  form  a  tree.) 

The  tree  structure  of  the  files  is  a  reflection  of  the  directory 
naming  scheme  for  addressing  segments.  Each  directory  contains  pointers 
to  other  directories  and  segments  which  it  directly  dominates. 

The  following  picture  illustrates  the  various  sets,  functions,  and 
relations  involved  in  i  model: 


Now  we  will  discuss  the  axioms  which  formally  describe  .his  model. 


3.3  Axioms 


The  first  four  axioms  are  retained  from  the  preceeding  chapter. 

Axl:  For  all  security  classes  c  in  C,  c  <  c  {<  is  re¬ 
flexive)  . 

0*2:  For  any  security  classes  c-j ,  c2,  c3  in  C,  if  c-j 
<  c2  and  c,  4  c^,  <.hen  c^  1  c^  (* 
is  transitive). 

Ax3:  For  any  agent  a  in  A  and  file  f  in  F,  a  6  f  im¬ 
plies  that  CU( f)  <  C£a( a).  (Agents 
can  only  observe  files  of  classifica¬ 
tion  less  than  or  equal  to  their 
clearance.) 

Ax4:  For  any  agent  a  in  A  and  file  f  in  F,  a  y  f  im¬ 
plies  that  C£a( a)  <  C^a(f).  (Agents 
can  only  modify  files  of  equal  or 
higher  classification.) 

The  next  four  axioms  formalize  the  tree  structure  of  the  set  of 
files. 

Ax5:  For  all  files  f  in  F,  f  6  f  (5  is  reflexive). 

Ax6:  For  any  files  f  and  g  in  F,  if  f  6  g  and  g  6  f, 

then  f  =  g  (6  is  antisymmetric) 

Ax7:  For  any  files  f,  g,  and  h  in  F,  if  f  6  g  and  g  6 

h,  then  f  6  h  (6  is  transitive). 

Ax8:  For  any  files  f,  g,  and  h  in  F,  if  g  6  f  and  h  6 

f,  then  g  6  h  or  h  6  g  (6  has  the  tree 

property). 

The  next  axiom  reflects  the  fact  that  in  a  directory  system, 
when  a  directory  is  deleted,  all  the  files  below  that  directory  become 
inaccessible. 


19 


Ax9:  For  any  agent  a  in  A  end  any  files  f  and  g  in  F, 
if  a  6  g  and  f  6  g,  then  a  6  f.  (If 
an  agent  can  observe  a  file,  then  it 
can  observe  any  directory  which 
dominates  the  file.) 

This  axiom  recognizes  certain  implicit  information  paths  which  result 
from  the  nature  of  the  directory  system.  To  illustrate  the  difficulty, 
suppose  that  an  agent  a/  deletes  a  directory  £  which  dominates  a  file 
1,  then  another  agent  a_ can  tell  that  the  file  £  is  no  longer  obser¬ 
vable.  This  constitutes  a  potential  communication  path  between  a'  and 
a.  In  effect,  £  can  make  a  limited  observation  of  directory  f_  by 
determining  whether  file  £  is  still  observable.  (See  Lampson  [3]  for 
a  discussion  of  similar  problems.) 

Axiom  AxlO  is  introduced,  because,  in  most  computer  systems,  when 
an  individual  tries  to  write  on  a  file  f  which  he  is  not  allowed  to 
access,  he  gets  an  error  message.  The  presence  or  absence  of  this 
error  message  constitutes  an  observation  of  the  file  £. 

AxlO:  For  all  agents  £  in  A  and  files  f  in  F,  if  apf, 
then  a  0  f.  (An  agent  can  observe  all 
files  which  he  can  modify.) 

It  would  certainly  be  possible  to  build  systems  in  which  no  informa¬ 
tion  would  be  given  regarding  whether  or  not  a  modify  command  was  suc¬ 
cessfully  carried  out,  but  such  systems  would  be  unpleasant  to  use. 

A  more  sophisticated  system  might  not  return  information  about  the 
success  of  modifications  of  files  when  the  clearance  of  the  agent  was 
strictly  less  than  the  classification  of  the  file. 

3.4  Implication  of  the  Axioms 

In  this  section  we  will  explore  some  of  the  consequences  of  the 
axioms  introduced  in  the  preceeding  section.  Some  of  these  consequences 
lead  us  to  introduce  another  axiom. 
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To  begin  with,  we  see  that  axioms  Ax 9  and  Ax3  combine  to  give  us 

Proposition  1:  For  any  agent  a  in  A  and  any  files  f  and  g  in  F,  if 

a  0  g  and  f  6  g,  then  C£a(f)  <  CIa( a). 
(An  agent  must  have  a  clearance  which 
Is  greater  than  or  equal  to  the  clas¬ 
sification  of  any  directory  in  which 
it  observes  a  file.) 

Axiom  Ax9  says  that,  if  a  0  g  and  f  6  g,  then  a  e  f.  Axiom  Ax3  says 
that,  if  a  0  f,  then  C£a(f}  $  C£/i(a),  so  the  proposition  follows  im¬ 
mediately. 

In  order  to  state  the  next  proposition  concisely,  we  Introduce 
the  equivalence  relation  =  on  the  security  classes  C  which  is  naturally 
defined  from  the  preordering  <  by 

c-j  =  c2»  if  and  only  if  c-j  *  c2  and  c2  «  c^. 

Axiom  AxlO  then  leads  to 

Proposition  2:  For  all  agents  a  in  A  and  files  f  In  F,  if  a  p  f, 

then  C£*(a)  =  C£a(f).  (Agents  can  only 
modify  files  whose  classification  is 
equivalent  to  their  clearance.) 

First  note  that  axiom  Ax4  says  that,  If  a  y  f,  then  CJU{ a)  <  Cl&{ f). 

Now  axiom  AxlO  states  that  if  a  y  f,  then  a  0  f,  and  axiom  Ax3  states 
that  if  a  0  f,  then  Cls(f)  <!  CVi{&).  So,  by  the  definition  of  =, 

CU{&)  =  Cli{  f). 

Proposition  1,  axiom  AxlO,  and  the  first  four  axioms  have  the 
following  consequence. 

Proposition  3:  For  any  agent  a  in  A  and  any  files  f  and  g  in  F,  if 

a  y  g  and  f  5  g,  then  C£a(f)  *  C£a( g). 
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(A  file  which  can  be  modified  by  some 
agent  must  have  a  classification  which 
is  greater  than  or  equal  to  the  clas¬ 
sification  of  any  directory  which 
eventually  contains  it.) 

Axiom  Ax4  says  that,  if  a  y  g,  then  C£/t(a)  <  g).  Now  note  that 

AxlO  asserts  that,  if  a  u  g,  then  a  0  g.  So  we  can  invoke  Proposition 

1  which  says  that,  if  a  0  g  and  f  6  g,  then  Cta(f)  3  CVi{ a).  Using 

the  transitivity  of  4  (Ax2),  Ct&( f)  3  Cln( a)  3  C£a(g)  implies  Cta(f)  3 
Cta(g)  as  desired. 

The  implications  of  Proposition  3  are  clearer  if  we  state  it  in 
cont^apositive  form. 

Coro! 1  ary  1 :  For  any  agent  a  in  A  and  files  f  and  g  in  F,  if  f  6  0 

and  Cl&[ f)  ^  C£s(g),  then  not  a  \i  g. 

(No  agent  can  modify  a  file  £  which 
is  contained  in  a  directory  whose  clas¬ 
sification  is  not  less  than  or  equal  to 
the  classification  of  the  file  £. ) 

This  corollary  motivates  us  to  Introduce  another  axiom  in  order  not  to 
have  a  file  system  which  is  cluttered  with  useless,  unmodifiable  files. 

Axil:  For  any  files  f  and  g  in  F,  if  f  6  g,  then  C£a(f) 

<  C£a(g).  (Every  directory  has  an 
equal  or  lower  classification  than  any 
file  it  eventually  contains.) 

It  is  interesting  to  note  that  wo  no  longer  need  axiom  fk  9  to 
prove  Propositions  1,  2,  and  3.  Proposition  3,  which  motivated  our 
new  axiom,  is  an  immediate  consequence  of  Axil.  The  proof  of  Proposi¬ 
tion  2  did  not  use  Ax9,  so  only  Proposition  1  needs  to  be  reproved. 

Proposition  4:  Axioms  Ax2,  fk3,  and  Axil  imply  Proposition  1.  If  we 
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assume  a  0  g  and  f  6  g,  then  we  must 
prove  that  Cli(f)  «  Cta(a).  Axiom  Axil 
says  that  if  f  6  g,  then  Cti(f)  <  CU{ g). 
Ax3  says  that,  if  a  0  g,  then  C£a(g)  * 
CVl[ a).  So,  by  the  transitivity  of  < 
(Ax2),  Cta(f)  <  C-ta(g)  <!  CM(a)  implies 
Cta(f)  <  CJU( a). 

The  axioms  and  propositions  developed  in  this  section  will  he  used 
to  formulate  more  detailed  dynamic  models  of  security  systems. 

Axiom  Axil  and  Propositions  1  and  2  are  of  particular  importance 
in  handling  directory  structured  file  systems. 
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4.  CONCLUSION 


4.1  Sunwary 

The  preceeding  two  chapters  set  forth  the  first  two  models  in  a 
projected  series  of  mathematical  models  whose  purpose  is  to  give  a 
systematic  presentation  of  the  specification  for  a  secure  military 
computing  system.  The  first  model  gave  an  overview  of  the  design  ob¬ 
jective  of  the  security  system.  The  soundness  of  this  design  was 
established  by  proving  a  basic  security  theorem  about  it. 

The  second  model  concerns  the  security  aspects  of  classified  in¬ 
formation  in  a  oirectory-structured  file  system.  Here,  the  conse¬ 
quences  of  certain  straight-forward  assumptions  about  the  nature  of 
the  directory  structures  —  together  with  the  basic  axioms  of  the 
first  model  --  made  evident  the  desirability  of  imposing  additional 
restrictions  on  the  classifications  of  directories  and  segments.  This 
development  illustrates  one  of  the  hoped-for  benefits  ot  formulating 
a  concise  mathematical  description  of  the  proposed  design,  namely, 
that  design  decisions  can  be  based  on  logical  consequences,  rather 
than  just  seat-of-the-pants  intuition. 

Two  additional  topics  were  treated  as  an  adjunct  to  these  models. 
The  first  was  the  formulation  of  a  mathematical ly-precise  definition 
of  the  governmental  classification  scheme.  The  second  was  a  discus¬ 
sion  of  the  inappropriateness  of  using  the  general  model  of  security 
to  describe  "need  to  know"  type  restrictions.  Other  sorts  of  mech¬ 
anisms  will  have  to  be  introduced  into  the  design  at  a  later  stage 
of  development  in  order  to  handle  "need  to  know"  security  properly. 
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4.2  Future  Topics 


The  two  models  developed  so  far  are  actually  static  models  in 
that  the  overall  structure  of  the  objects  described  does  not  change. 
However,  the  computer  system  for  which  we  are  giving  specifications 
will  change  things  over  Jie  course  of  time.  Accordingly,  at  some 
level  of  detail  dynamic  models  must  be  introduced.  In  particular, 
the  model  at  the  next  level  of  detail  will  be  an  automaton  that  re¬ 
flects  the  possible  changes  of  security  state  which  our  system  can 
go  through.  In  addition,  the  various  security  related  functions 
which  processes  on  the  system  can  perform  must  be  specified. 

Chapter  2  did  resolve  the  problem  cf  finding  an  adequate 
discretionary  security  system  to  handle  "need  to  know"  type  security. 
Providing  this  type  of  security  is  very  Important  both  because  it 
prevents  information  from  being  widely  disseminated  on  a  giver, 
security  level  and  hence  being  more  vulnerable  to  compromise  ar.d  also 
because  it  prevents  over-classification  of  Information  by  allowing 
individuals  to  work  on  material  at  a  low  classification  level  with 
full  confidence  that  it  will  not  be  compromised  by  the  system. 

In  addition  to  providing  a  complete  description  of  the  full  set 
of  operations  to  be  provided  by  the  virtual  machine  which  constitutes 
the  security  system,  this  project  should  provide  descriptions  of  the 
virtual  machines  which  are  the  various  levels  of  abstraction  neces¬ 
sary  to  Implement  this  security  system  on  the  hardware  which  is 
available. 

A  long-range  objective  of  this  project  Is  to  discover  general 
techniques  which  will  allow  an  even  more  systematic  design  of  future 
security  systems.  This  objective  makes  it  Imperative  to  develop  this 
particular  design  In  as  clearly  structured  a  way  as  possible,  so  that 
the  underlying  principles  can  be  discovered. 
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APPENDIX  A 


ALTERNATE  FILE  SYSTEMS 


Introduction 


The  particular  directory  system  presented  in  Chapter  3  resulted 
from  making  specific  choices  or  assumptions  from  a  set  of  design  al¬ 
ternatives.  Other  choices  or  assumptions  lead  to  alternate  schemes, 
and  in  this  Appendix,  two  such  schemes  are  oresented. 

A1 .  Directory  Trees  as  Repositories 

From  human  engineering  considerations,  it  has  been  suggested  that 
security  classes  within  a  directory  may  inconvenience  system  users. 

Hence,  in  this  example,  we  Investigate  a  multics-like  directory  system 
in  which  there  Is  no  distinction  of  security  classes,  within  a  directory. 

An  immediate  consequence  is  that  there  must  be  a  different  direc¬ 
tory  tree  for  each  security  class.  It  follows  then  that  a  user  may  no 
longer  have  all  of  his  repositories  In  one  directory  or  even  in  the 
same  directory  tree. 

In  a  directory  tree,  the  repositories  (or  tree  leaves)  are,  in 
effect,  named  by  the  path  from  the  tree  root  to  the  leaf.  Then  reposi¬ 
tories  on  different  directory  trees  can  be  in  the  same  position  and 
thus  have  the  same  name.  In  this  situation,  the  only  way  to  distin¬ 
guish  them  would  be  by  naming  the  tree,  or  giving  the  security  class, 
and  thus  the  security  class  becomes  a  necessary  component  of  every  re¬ 
pository  specification. 

In  effect,  this  approach  leads  to  a  single  directory  tree  as  does 
the  model  in  Chapter  3.  In  this  case,  however,  the  root  node  has  dif¬ 
ferent  characteristics  from  other  tree  nodes.  The  root  node  has  a 
fixed  number  of  branches,  precisely  the  number  of  security  classes. 

It  would  appear  that  this  approach  does  little  to  reduce  user  in¬ 
convenience. 
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A2.  Uncleared  Directories 


In  this  example,  the  attempt  is  again  made  to  remove  security  class 
checking  along  paths  to  a  segment  by  removing  security  classes  from 
directories,  but  retaining  security  classes  for  segments. 

First  we  must  recognize  that  every  object  has  a  security  class; 

"no  classification"  being  the  minimum  class  possible.  In  this  case, 
that  would  be  the  security  class  of  every  directory.  The  directory 
names  constitute  some  "information,"  and  hence  directories  must  be 
created  by  executors  with  the  corresponding  minimum  clearance. 

One  must  also  recognize  that  the  name  of  an  object  is  a  piece  of 
information,  disjoint  from  the  ooject  Itself.  In  this  example,  the 
question  arises  of  what  classification  to  give  to  the  name  of  a  clas¬ 
sified  segment.  In  the  Chapter  3  model,  the  segment  "name"  had  the 
security  class  of  the  appropriate  directory.  Consequently,  this  model 
makes  explicit  a  second  form  of  security  checking  which  is  done  im¬ 
plicitly  by  the  Chapter  3  model.  Regardless  of  the  security  class  of 
the  Information  in  a  segment,  the  kernel  cannot  admit  the  existence 
of  that  segment  unless  the  requesting  executor  has  the  necessary  clear¬ 
ance  to  know  the  segment  name.  It  is  again  possible  to  have  different 
segments  created  with  the  same  name,  distinguished  only  by  the  security 
class,  and  security  class  is  a  necessary  part  of  a  segment  name  in  this 
example. 

Security  checking  in  this  system  requires  more,  work  than  tne 
Chapter  3  model  with  no  attendant  advantages.  In  fact,  rather  chan 
being  more  convenient,  the  A.l  and  A. 2  models  appear  to  be  less  con¬ 
venient  to  the  user  than  the  model  of  Chapter  3. 
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NOTATION 


Page  Number  of 

Symbols  Descriptions  Defining  Occurrences 


1 

Mo 

The  most  primitive  security  model 

8 

R 

Set  of  information  repositories 

8 

A 

Set  of  agents 

8 

C 

Set  of  security  classes 

8 

Cls 

Classification  function  for 
repositories 

8 

Ctx 

Clearance  function  for  agents 

8 

•j 

Pre-ordering  of  security  classes 

8 

i 

e 

The  "can  observe"  relation  between 
agents  and  repositories 

8 

, 

u 

The  "can  modify"  relation  between 
agents  and  repositories 

8 

A1 

Security  axiom  1 

10 

t 

A2 

Security  axiom  2 

10 

\ 

A3 

Security  axiom  3 

10 

A4 

Security  axiom  4 

10 

T 

The  " information  can  pass"  relation 
between  repositories 

11 

* 

T* 

The  "information  can  eventually  pass" 
rc  laticn 

11 

1 

X 

The  "lower  classification"  relation 
on  repositories 

11 

Sen 

The  set  of  sensitivity  levels 

12 

Cmp 

The  set  of  security  compartment 

13 

Co 

The  governmental  Security  Lattice 

13 

r 

u 

The  set  of  users 

14 
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F  The  set  of  files  18 

6  The  "dominates"  relation  on  the  set 

of  files  18 

Axl  -  Axil  Directory  model  Axioms  19-22 

=  The  equivalence  relation  on  C 

induced  by  the  partial  ordering  21 


